From: Stav Aviram <saviram@nvidia.com> mainline inclusion from mainline-v6.17-rc1 commit 70f238c902b8c0461ae6fbb8d1a0bbddc4350eea category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICUC9M CVE: CVE-2025-38645 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails. Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core") Signed-off-by: Stav Aviram <saviram@nvidia.com> Link: https://patch.msgid.link/c88711327f4d74d5cebc730dc629607e989ca187.1751370035... Signed-off-by: Leon Romanovsky <leon@kernel.org> Conflicts: drivers/infiniband/hw/mlx5/dm.c drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c drivers/net/ethernet/mellanox/mlx5/core/main.c drivers/infiniband/hw/mlx5/main.c [Fanhua Li: avoid NULL pointer deref when dev->dm is not initialized] Signed-off-by: Fanhua Li <lifanhua5@huawei.com> --- drivers/infiniband/hw/mlx5/main.c | 3 +++ drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c | 4 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 3 --- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c index 982be8a8bba8..6baab01526d1 100644 --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -2384,6 +2384,9 @@ static int handle_alloc_dm_memic(struct ib_ucontext *ctx, dm->size = roundup(attr->length, MLX5_MEMIC_BASE_SIZE); + if (!dm_db) + return -EOPNOTSUPP; + err = mlx5_cmd_alloc_memic(dm_db, &dm->dev_addr, dm->size, attr->alignment); if (err) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c index 3d5e57ff558c..15ee84a2a470 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/dm.c @@ -25,7 +25,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) dm = kzalloc(sizeof(*dm), GFP_KERNEL); if (!dm) - return ERR_PTR(-ENOMEM); + return NULL; spin_lock_init(&dm->lock); @@ -61,7 +61,7 @@ struct mlx5_dm *mlx5_dm_create(struct mlx5_core_dev *dev) err_steering: kfree(dm); - return ERR_PTR(-ENOMEM); + return NULL; } void mlx5_dm_cleanup(struct mlx5_core_dev *dev) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c index d4712fbc7856..392dfba3d281 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -884,9 +884,6 @@ static int mlx5_init_once(struct mlx5_core_dev *dev) } dev->dm = mlx5_dm_create(dev); - if (IS_ERR(dev->dm)) - mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm)); - dev->tracer = mlx5_fw_tracer_create(dev); dev->hv_vhca = mlx5_hv_vhca_create(dev); dev->rsc_dump = mlx5_rsc_dump_create(dev); -- 2.34.1